Reasoning about security properties involves reasoning about where the information of a system is located, and how it evolves over time. While most security analysis techniques need to cope with some notions of information locality and knowledge propagation, they usually do not provide a general language for expressing arbitrary properties involving local knowledge and knowledge transfer. Building on this observation, we introduce a framework for security protocol analysis based on dynamic spatial logic specifications. Our computational model is a variant of existing π-calculi, while specifications are expressed in a dynamic spatial logic extended with an epistemic operator. We present the syntax and semantics of the model and logic, and discuss the expressiveness of the approach, showing it complete for passive attackers. We also prove that generic Dolev-Yao attackers may be mechanically determined for any deterministic finite protocol, and discuss how this result may be used to reason about security properties of open systems. We also present a model-checking algorithm for our logic, which has been implemented as an extension to the SLMC system.

1 Introduction 

Among the several artifacts in the field of computer security, security protocols are indubitably a fundamental subject of study and research [12]. Security protocols serve a variety of purposes, ranging from secrecy and authentication to forward secrecy and deniable encryption. A common trait of these protocols is their notoriously difficult design, which often leads to unforeseen vulnerabilities.

Therefore, it becomes essential to develop techniques that ensure the correctness of protocols with respect to some specification of the properties they aim to establish. A wide range of language-based techniques have been proposed to analyze protocols and their correctness, such as type systems, process calculi or static analysis, which in many cases result in successful tools [5, 4, 13, 9].

In this paper we propose a framework for protocol analysis based on process calculus models and logic specifications. While the usage of process calculi and logic in this context is not new [14, 8, 2], our approach stems from the observation that many interesting properties of such systems are a function of what information the several parts of a system may or may not obtain. While other frameworks (e.g., Avispa [4] and Casper [15]) allow one to efficiently verify a wide range of interesting security properties, these are not usually stated in this high-level, knowledge-oriented way.

Our contribution consists of a dynamic spatial epistemic logic that allows reasoning about systems (modelled in a variant of the applied π-calculus [2]) at three levels: the dynamics of systems and subsystems, the spatial arrangement of systems and subsystems, and the knowledge (the obtainable information) of systems and subsystems. The goal is to produce an expressive property language with which we can reason about a protocol by separating it into its different agents (malicious and otherwise), and then reason about the knowledge they can obtain and how it can evolve over time. This enables us to express interesting security properties in a very direct way (e.g. agents P and Q can obtain value v, while agents A and S cannot). To clarify our approach, consider the example of Fig. 1.

defproc S(pkp,pkq,sks,pks) = c?(h).select {
    [pkp = getpk(h)].c!(enc_as(pkp,sks)).S(pkp,pkq,sks,pks);
    [pkq = getpk(h)].c!(enc_as(pkq,sks)).S(pkp,pkq,sks,pks) };

defproc P(skp,hostQ,pks) = c!(hostQ).c?(m).let pkQ = dec_as(m,pks) in
    new sK in c!(enc_as(sK,pkQ)).c!(enc(v,sK)).ok!(v);

defproc Q(skq) = c?(m1).let sK = dec_as(m1,skq) in c?(m2).let val = dec(m2,sK) in ok!(val);

defproc Sys = new skp, skq, sks in let pkp = pk(skp) in let pkq = pk(skq) in let pks = pk(sks)
    in let hP = host(pkp) in let hQ = host(pkq)
    in (S(pkp,pkq,sks,pks) | P(skp,hQ,pks) | Q(skq));

defproc World = Sys | Attacker(Sys);

prop pqK = eventually (knows v | knows v | not (knows v))
    and always (2 | not (knows v));

check World |= pqK;

* Process World satisfies the formula pqK *

Figure 1: A Motivating Example

We have a system Sys composed of three processes: P, Q and a key distribution server S. P wishes to exchange a value v with Q. To do so, it requests Q's public key from S, which S emits in a signed message. P then uses it to encrypt a generated symmetric session key and sends the key to Q. Afterwards, P sends v encrypted with the session key and terminates. Q receives the message, decrypts it to obtain v and terminates. We further model the system running with a malicious agent, defined through the primitive Attacker(Sys). This agent is a Dolev-Yao attacker, which we discuss in Section 4.1.

For this protocol to be correct, it must be the case that the malicious agent interacting with the system can never know v. Consider, however, a slightly stronger property: P and Q want to exchange v securely (with respect to the malicious agent), but they also do not completely trust the server S. They trust it to at least distribute the appropriate keys, but want some assurance that even though S operates according to protocol, it doesn't obtain the value v by observing the data exchanges between P and Q.

This property, while not impossible to state in other frameworks, would usually require some sort of ad-hoc modification to the model (e.g. internalizing the server in an attacker, which seems like an indirect strategy at best and may not necessarily yield the correct model). In our framework, the property can be directly stated by combining our epistemic and spatial operators. A formula that reflects such a property is pqK: first we state that the system can evolve to a configuration where two of its subsystems (P and Q) know v, but the remaining parts of the system do not. This illustrates the expressiveness of the logic in terms of reasoning about the knowledge of several parts of a complex system. Secondly, we state that throughout all executions of the system, a part of it will never know v (2 indicates that there must be two agents running alongside the part that does not know v; a precise definition is given in Section 3). By combining spatial reasoning with epistemic reasoning, we can state rich properties of the knowledge of agents (and groups of agents), both adversaries and principals, within a complex system, and of how they can share or restrict that knowledge over time.

While our framework is aimed at reasoning about closed systems, meaningful analyses of security protocols must necessarily consider attackers. Traditionally, attackers are modelled by an adversarial environment which interacts with the protocol. In our closed system approach, we develop a way of internalizing an arbitrary attacker within a closed system by automatically (or semi-automatically) deriving a process representation of such an attacker. This representation makes use of special primitives built into the process calculus to greatly simplify the actual modelling of the attacker, to the extent that even if the attacker generation is done semi-automatically, it never requires us to actually encode specific attacks. In this work, we show that it is possible to automatically derive an attacker (behaving as a Dolev-Yao adversarial environment) for any finite protocol. To fully automate our technique (at the implementation level), further work is needed (as discussed in Section 5); the focus of the current paper is essentially on expressiveness issues. In any case, we already provide tool support for arbitrary passive attackers and for bounded Dolev-Yao attackers (where the bound concerns the size of generated messages); this technique can already be used to automatically find attacks, e.g., as illustrated in the example of Section 4.

The technical contributions of this work are as follows. We develop a process calculus model for security protocols (Section 2.2), inspired by existing π-calculi, supporting explicit modeling of adversarial agents at an adequate level of abstraction. We introduce a new dynamic spatial epistemic logic (Section 3), oriented towards reasoning about the spatial distribution of information. We develop a logic-based theory of knowledge deduction (Section 3.2) for our models, proved sound, complete and decidable. This presentation was used in our model-checking algorithms. We discuss attacker representations (Section 4.1), and how it is possible to produce a generic Dolev-Yao attacker for finite protocols. We also show how to model and verify correspondence assertions (Section 4.2) in our framework. Finally, we implemented a model-checking algorithm for the logic as an extension to the SLMC tool, producing the first proof-of-concept tool aimed at security protocol analysis using spatial logic model checking. The proofs of our technical results are detailed in [17].

2 Process Model 

In this section we introduce our process model, starting with some preliminary notions on terms and 
equational theory and then introducing our process calculus. 

2.1 Terms and Equational Theories 

Data exchanged by processes is modeled by terms of a term algebra. In order to capture cryptographic operations and data structuring, we will consider term algebras with equational theories (cf. [2]).

We assume an infinite set of variables ranged over by x, y, z, an infinite set of names ranged over by m, n, and we range over terms with s, t, v. Terms are defined from names and variables by applying function symbols. We thus consider a given term algebra to be defined from a signature Σ and an equational theory E that defines the "semantics" of the function symbols in Σ. An equational theory is a congruence relation defined by a set of equations of the form t = s.

In certain circumstances, an equational theory may give rise to a set of rewrite rules by orienting each equation to produce the rule t → s, in such a way that two terms are equal modulo E whenever they have a common reduct under rewriting. This is the case of subterm convergent equational theories [1], which are the ones that we will focus on in this work (other equational theories, such as AC theories, can also be treated in this fashion, although with a slightly different formal treatment, as detailed in [1]). A subterm convergent system is a convergent rewrite system in which, in every rewrite rule, the right-hand side is a proper subterm of the left-hand side. In this paper, we will assume a general rewrite theory R subject to the conditions above. Given a rewrite rule t → s, we call the outermost function symbol in t a destructor, since the application of the rule may open the internal structure of inner terms in t to produce the term s. We classify the remaining function symbols, those that never occur as a destructor, as constructors. For example, for the signature Σ = {enc/2, dec/2} and equational theory E = {dec(enc(x, y), y) = x}, dec is a destructor and enc a constructor. We range over constructors with f and destructors with δ.

A Spatial-Epistemic Logic for Reasoning about Security Protocols

We denote the set of names of a term T by names(T) and the depth of a term by |T| (the depth is the length of the longest path in the tree representation of the term). We say that a term is ground if it does not contain variables. We denote by =_E the usual congruence relation induced by the set of equations E (which can be decided through term rewriting since R is convergent). We write 𝒮(ψ) for the DY (Dolev-Yao) equational closure of a set of terms ψ, that is, the set of all values (destructor-free terms) generated by terms of ψ through function application, modulo the equational theory. This closure represents all possible information that may be produced from a set of terms while following the rules of the equational theory, which, if we interpret a set of terms as a set of messages, is the usual notion of knowledge from the Dolev-Yao model.

Definition 2.1 (Equational Closure) Given a rewrite theory R, the DY equational closure of a set of terms ψ, noted 𝒮(ψ), is the least set of terms such that:

1. ψ ⊆ 𝒮(ψ)

2. ∀f ∈ Σ. if f is a constructor and t1, …, tn ∈ 𝒮(ψ) then f(t1, …, tn) ∈ 𝒮(ψ)

3. ∀δ ∈ Σ. if δ is a destructor and t1, …, tn ∈ 𝒮(ψ) and δ(t1, …, tn) → t′ then t′ ∈ 𝒮(ψ)

When interpreting the DY equational closure of a set of terms as obtainable knowledge, we can state 
knowledge derivation through term derivation. 

Definition 2.2 (Knowledge Derivation) Given sets of terms ψ and φ, we say that φ may be derived from ψ (written ψ ⊨ φ) if and only if φ ⊆ 𝒮(ψ).

The general idea is that one may derive a piece of information if it can be generated by combining pieces of information using the rules of the equational theory. Given these basic notions relative to terms, equational theories, and knowledge derivation, we may now present our process calculus model.

2.2 Process Calculus 

It is known that the high level of abstraction of the π-calculus, convenient from a foundational perspective, is not suitable for modeling the cryptographic techniques necessary for analyzing security protocols.

We therefore adopt an extension to the π-calculus that extends the base values of the language with functional terms (cf. Section 2.1), which can be seen as a fragment of the applied π-calculus [2]. We choose this calculus over the applied π-calculus mainly for simplicity: since our goal is to use our logic to observe terms, we require neither active substitutions nor frames.

We model cryptographic operations by defining such operations in a term algebra. The calculus is thus aimed at the explicit modeling of the agents involved in security protocols, both principals and adversaries. Principals are modeled in the standard way, using terms to model cryptographic data. Adversaries are modeled as processes (cf. Section 4.1) using the attacker output prefix, a non-deterministic output of terms that can be generated from known values, which enables reasoning directly about attacker knowledge using our logic.

Definition 2.3 (Processes) Given a signature Σ, an infinite set of names ranged over by m, n, and an infinite set of variables ranged over by x, y, z, the set of processes (P, Q), of actions α and of terms T are defined in Fig. 2.
P, Q ::= 0 (Null Process)
       | P | Q (Parallel Composition)
       | (νn)P (Name Restriction)
       | α.P (Action Prefix)
       | P + Q (Choice)
       | let x = T in P (Let Construct)

α ::= m(x) (Input)
    | m⟨T⟩ (Output)
    | m⟨∗⟩ (Attacker Output)
    | [T1 = T2] (Test)

T ::= n (Name)
    | x (Variable)
    | f(T1, …, Tn) (Function)

Figure 2: Process Calculus Syntax

sub(n) = {n}   (n is a name)
sub(x) = ∅   (x is a variable)
sub(f(t1, …, tn)) = {f(t1, …, tn)}   if no ti contains a variable or a destructor
sub(f(t1, …, tn)) = sub(t1) ∪ ⋯ ∪ sub(tn)   if some ti contains a variable or a destructor
sub(δ(t1, …, tn)) = sub(t1) ∪ ⋯ ∪ sub(tn)

Figure 3: Relevant Subterms



Before introducing the semantics of our calculus, we present some definitions that pertain to obtain- 
ing the relevant terms of a process that are necessary for our semantics. 

A destructor function symbol denotes computation at the term level. If such computations are valid (under the equational theory), then the term containing the destructor can be rewritten as one that only has constructors. On the other hand, if such a term cannot be reduced (e.g. dec(enc(m, k1), k2)), it has no interesting meaning and has no place being communicated. To obtain the values (destructor-free normal forms) of a process, we define a relation ⊢k that extracts the set of values ψ that occur in a process (P ⊢k ψ). However, some care is needed in the definition of ⊢k since a term may contain bound names or variables. For instance, in the process a(x).a⟨dec(x, k)⟩.0, the term dec(x, k) is not a proper value since it contains the variable x. In these situations, our extraction has to be such that it will produce a set containing k but not x (nor dec(x, k)). Similarly, when we consider the terms that are to be the object of our attacker output, while it is true that outputting a term containing a variable would be senseless, it is correct to output a term that contains a restricted name, even though the attacker may not be able to use the name in other messages.

To take all this into account, we define a procedure sub that extracts the relevant subterms (not containing variables or destructors) of a term, and a procedure \ used to eliminate terms containing restricted names.

Definition 2.4 (Relevant Subterms) Given a term M we define the set of its relevant subterms, written sub(M), by the rules of Fig. 3.

Definition 2.5 (Name Occurrence Term Removal) We define the removal of terms from a set ψ in which the name x occurs, written ψ \ x, as: ψ \ x = {t | t ∈ ψ : x ∉ names(t)}.

Definition 2.6 (Relevant Term Extraction) Given a process P, the set ψ of relevant terms of P, written P ⊢k ψ, is defined by the rules of Fig. 4.

For our attacker output we collect all ground terms that occur in the process, which we denote by gt(P).

The semantics of our calculus is defined in the standard way, modulo α-conversion of bound names and variables, by a structural congruence relation, labelled transition and reduction, as follows. We denote by fn(P) and fv(P) the sets of free names and free variables of process P, respectively.
0 ⊢k ∅
P ⊢k φ, Q ⊢k ψ ⟹ P + Q ⊢k φ ∪ ψ
P ⊢k φ, Q ⊢k ψ ⟹ P | Q ⊢k φ ∪ ψ
P ⊢k φ ⟹ n(x).P ⊢k φ
P ⊢k φ ⟹ n⟨M⟩.P ⊢k φ ∪ sub(M)
P{x←M} ⊢k φ ⟹ let x = M in P ⊢k φ ∪ sub(M)
P ⊢k φ ⟹ (νn)P ⊢k φ \ n
P ⊢k φ ⟹ [M = N].P ⊢k φ ∪ sub(M) ∪ sub(N)

Figure 4: Relevant Term Extraction

P | 0 ≡ P   P | Q ≡ Q | P   P | (Q | R) ≡ (P | Q) | R
P + Q ≡ Q + P   P + (Q + R) ≡ (P + Q) + R
(νn)0 ≡ 0   (νn)(νm)P ≡ (νm)(νn)P
n ∉ fn(P) ∪ fv(P) ⟹ P | (νn)Q ≡ (νn)(P | Q)
M =_E M′ ⟹ let x = M in P ≡ let x = M′ in P
M =_E M′ ⟹ m⟨M⟩.P ≡ m⟨M′⟩.P
M1 =_E M1′ ⟹ [M1 = M2].P ≡ [M1′ = M2].P
[M1 = M2].P ≡ [M2 = M1].P

Figure 5: Structural Congruence

Definition 2.7 (Structural Congruence) Structural congruence ≡ is the least congruence relation on processes defined by the rules of Fig. 5.

We augment the standard structural congruence laws of the π-calculus with rules that equate processes modulo the equality =_E of the equational theory. These laws are essential in our semantics because they allow us to block processes performing actions that use terms that are not values (i.e. terms that contain destructors).

Our semantics, which we now present, captures these destructor-freedom conditions. If a process is attempting to use a term that contains a destructor, we use structural congruence to rewrite the term destructor-free and reduction proceeds. If the term cannot be rewritten destructor-free, reduction halts. These restrictions ensure that all received terms are actual values, and not some arbitrary erroneous term. Note the semantics of our attacker output, expressed in the Attacker rule, which enables the output to emit any message that can be generated by the process, given its ground terms and some fresh values.

Definition 2.8 (Reduction Semantics) The reduction relation P → Q over closed processes is defined as the least relation closed under the rules of Fig. 6.

Definition 2.9 (Labelled Transition Semantics) The labelled transition relation P —α→ Q is the least relation on closed processes closed under the rules of Fig. 7.

Our labelled semantics is not intended to characterize a complete notion of behavioral equivalence, but rather to allow the observation of actions in our logic. Although outside the scope of this work, we note that our labelled semantics does not yield a complete characterization of behavioral equivalence, in the sense that our rules reveal information in a way that induces a higher discriminative power than that of behavioral equivalence.
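As an added worked example (not code from the paper or from SLMC), the following Python program implements the Dolev-Yao equational closure and knowledge derivation of Definitions 2.1 and 2.2 over a constructed subterm convergent theory (symmetric enc/dec, pair/fst/snd, asymmetric aenc/adec with pk), and reuses the same closure to enumerate the messages the attacker output prefix of the Attacker rule may emit, up to a depth bound as in the bounded attackers mentioned in the introduction. The theory, the observed messages and every function name below are assumptions of this example; the saturation in dy_approx applies destructors to already known values, which is enough for this theory but is a simplification of the paper's general, context-bounded approximation.

```python
"""Dolev-Yao equational closure, knowledge derivation and bounded attacker output over
a subterm convergent rewrite theory. Example code written for this page; it is not the
paper's SLMC implementation, and the theory below is a constructed sample."""
from itertools import product

# Terms: a name is a lowercase string; an application is a tuple (symbol, arg1, ..., argn).
# Pattern variables inside rewrite rules are strings beginning with "?".
CONSTRUCTORS = {"enc": 2, "pair": 2, "pk": 1, "aenc": 2}

# Rewrite rules t -> s, each right-hand side a proper subterm of its left-hand side
# (subterm convergent). The outermost symbol of every left-hand side is a destructor.
RULES = [
    (("dec", ("enc", "?x", "?y"), "?y"), "?x"),            # dec(enc(x, y), y) -> x
    (("fst", ("pair", "?x", "?y")), "?x"),                 # fst(pair(x, y)) -> x
    (("snd", ("pair", "?x", "?y")), "?y"),                 # snd(pair(x, y)) -> y
    (("adec", ("aenc", "?x", ("pk", "?y")), "?y"), "?x"),  # adec(aenc(x, pk(y)), y) -> x
]
DESTRUCTORS = {lhs[0]: len(lhs) - 1 for lhs, _ in RULES}


def is_var(p):
    return isinstance(p, str) and p.startswith("?")


def match(pat, term, env):
    """Syntactic matching of a rule pattern against a term; bindings are stored in env."""
    if is_var(pat):
        if pat in env:
            return env[pat] == term
        env[pat] = term
        return True
    if isinstance(pat, str):
        return pat == term
    return (isinstance(term, tuple) and len(term) == len(pat) and term[0] == pat[0]
            and all(match(p, t, env) for p, t in zip(pat[1:], term[1:])))


def subst(pat, env):
    if is_var(pat):
        return env[pat]
    if isinstance(pat, str):
        return pat
    return (pat[0],) + tuple(subst(p, env) for p in pat[1:])


def normalize(t):
    """Innermost rewriting to normal form; convergence makes the result unique."""
    if isinstance(t, str):
        return t
    t = (t[0],) + tuple(normalize(a) for a in t[1:])
    for lhs, rhs in RULES:
        env = {}
        if match(lhs, t, env):
            return normalize(subst(rhs, env))
    return t


def is_value(t):
    """A value is a destructor-free term (a stuck dec(enc(m, k1), k2) is not one)."""
    if isinstance(t, str):
        return True
    return t[0] not in DESTRUCTORS and all(is_value(a) for a in t[1:])


def depth(t):
    """Length of the longest path in the tree representation of t; names have depth 0."""
    return 0 if isinstance(t, str) else 1 + max(depth(a) for a in t[1:])


def dy_approx(psi):
    """Finite approximation of S(psi): saturate the known values under destructor
    application. Each right-hand side is a subterm of its left-hand side, so every
    round only yields smaller terms and the loop terminates. Applying destructors to
    already known values suffices for this theory: a constructor context built from
    known values is only ever destructed back into values that are already known."""
    known = {t for t in (normalize(t) for t in psi) if is_value(t)}
    while True:
        new = set()
        for lhs, _ in RULES:
            for args in product(known, repeat=len(lhs) - 1):
                r = normalize((lhs[0],) + args)
                if is_value(r) and r not in known:
                    new.add(r)
        if not new:
            return frozenset(known)
        known |= new


def derivable(approx, t):
    """t in S(psi): a saturated value, or a constructor applied to derivable terms."""
    t = normalize(t)
    if t in approx:
        return True
    if isinstance(t, tuple) and t[0] in CONSTRUCTORS:
        return all(derivable(approx, a) for a in t[1:])
    return False


def derives(psi, phi):
    """Definition 2.2: psi |= phi iff every term of phi lies in S(psi)."""
    approx = dy_approx(psi)
    return all(derivable(approx, t) for t in phi)


def attacker_messages(gt, fresh, bound):
    """Messages an attacker output c<*> may emit: values of S(gt ∪ fresh) of depth <= bound,
    i.e. the choice set of a bounded Dolev-Yao attacker (fresh = the rule's fresh names)."""
    msgs = {t for t in dy_approx(set(gt) | set(fresh)) if depth(t) <= bound}
    for _ in range(bound):
        for f, n in CONSTRUCTORS.items():
            for args in product(list(msgs), repeat=n):
                t = (f,) + args
                if depth(t) <= bound:
                    msgs.add(t)
    return frozenset(msgs)


# Constructed sample: what a passive attacker sees on the channel in a two-message
# exchange (session key kab and nonce n sent under the long-term key k).
OBSERVED = frozenset({("enc", ("pair", "kab", "n"), "k"), ("enc", "n", "kab")})

if __name__ == "__main__":
    print("attacker learns kab:", derives(OBSERVED, ["kab"]))
    print("with k leaked:", derives(OBSERVED | {"k"}, ["kab", "n"]))
    print("messages of depth <= 1 from {a, s}:", len(attacker_messages({"a"}, {"s"}, 1)))
```

Running the file shows that the two observed ciphertexts alone do not let the attacker derive kab, while adding k makes both kab and n derivable; attacker_messages is the set a c⟨∗⟩ prefix would pick from, and bounding its depth is what keeps the bounded Dolev-Yao attacker finite.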



3 Logic 

Considering it is common to reason about security by reasoning about the knowledge of principals, we 
explore key aspects of dynamic spatial logics, such as local reasoning, to develop a logic that can reason 
about epistemic, dynamic and spatial properties of agents. 

We propose an extension to a dynamic spatial logic [7] to enable reasoning at the term level. Our extension consists of adding two epistemic modalities: Kφ denotes the ability of an agent to derive φ from its knowledge, and Sx.A allows us to mention values that are only known by an agent (e.g. secrets).
(Let) M is destructor-free ⟹ let x = M in P → P{x←M}
(Sync) M is destructor-free ⟹ n⟨M⟩.P + R | n(x).Q + S → P | Q{x←M}
(Test) M1 and M2 are destructor-free, M1 =_E M2 ⟹ [M1 = M2].P → P
(Par) P → Q ⟹ P | R → Q | R
(Scope) P → Q ⟹ (νn)P → (νn)Q
(Cong) P ≡ P′, P′ → Q′, Q′ ≡ Q ⟹ P → Q
(Attacker) M ∈ 𝒮(gt(Q) ∪ ñ), ñ fresh ⟹ c(x).P + R | c⟨∗⟩.Q + S → (νñ)(P{x←M} | Q)

Figure 6: Reduction Semantics

(Tau) P → Q ⟹ P —τ→ Q
(Out) M is destructor-free ⟹ n⟨M⟩.P —n⟨M⟩→ P
(Inp) M is destructor-free ⟹ n(x).P —n(M)→ P{x←M}
(Attacker) M ∈ 𝒮(gt(P) ∪ s̃), s̃ fresh ⟹ n⟨∗⟩.P —νs̃.n⟨M⟩→ P
(Res) P —α→ Q, n ∉ names(α) ⟹ (νn)P —α→ (νn)Q
(BoundOut) P —n⟨M⟩→ P′, s̃ ⊆ names(M) and s̃ ⊆ ũ, ũ′ = ũ \ s̃ ⟹ (νũ)P —νs̃.n⟨M⟩→ (νũ′)P′
(Cong) P ≡ P′, P′ —α→ Q′, Q′ ≡ Q ⟹ P —α→ Q

Figure 7: Labelled Transition Semantics

Our intent is to couple the ability to reason about properties of space and behavior with that of reasoning 
about derivable information modulo the equational theory. Our notion of knowledge is therefore the 
ability of an agent to derive terms from the information it possesses. 



3.1 Syntax and Semantics 

The syntax and semantics of our logic are presented in Fig. 8. We refer to φ, ψ as knowledge formulas and ambivalently use φ to denote both knowledge formulas and finite sets of terms. The boolean connectives are standard. 0 denotes the empty process; A | B denotes a process that can be partitioned into two components, one satisfying A and the other satisfying B; Hx.A allows us to mention restricted names of processes in formulas; α.A denotes a process that can perform action α and continue as a process satisfying A; □A and ◇A denote "always in the future" and "sometime in the future", respectively. Kφ holds of a process that has the ability to derive the terms denoted by φ, that is, the ability to know φ; Sx.A holds of a process that satisfies a property A which depends on a value that is secret to the process, i.e. a term containing a restricted name. It is also useful to define an auxiliary counting predicate (written as n, where n is a natural number), that allows us to count the number of sub-processes within a process. For instance, a process consisting of a single thread would satisfy the formula 1 defined as ¬0 ∧ ¬(¬0 | ¬0), while a process consisting of two sub-processes would satisfy the formula 2 defined as ¬0 ∧ ¬1 ∧ ¬(¬0 | ¬0 | ¬0), and so on.

With this logic, we can state properties about the knowledge of agents (and not only adversarial ones) over time, such as "it is never the case that the secret key is known by 3 subsystems":

¬◇H key.(K key | K key | K key)

or "it is always the case that 2 agents know the key and one does not": □H key.(K key | K key | ¬K key). Since the semantics of our logic blur together processes that are structurally congruent (e.g. P | Q and Q | P), we can use the free-name predicate to "tag" specific subsystems and reason about their knowledge explicitly: □H key.(@tag ∧ K key | ⊤), which denotes "it is always the case that an agent with the free name tag knows the key" (this subsumes the need for an indexed knowledge operator such as that of [15]).

A, B ::= ⊤ (True)
       | ¬A (Negation)
       | A ∧ B (Conjunction)
       | 0 (Void)
       | A | B (Composition)
       | Hx.A (Hidden quantification)
       | α.A (Action)
       | □A (Always)
       | ◇A (Eventually)
       | @n (Free-name Predicate)
       | Kφ (Knowledge)
       | Sx.A (Secret quantification)

φ, ψ ::= φ ∧ ψ (Conjunction)
       | t (Term)
       | ⊤ (True)

P ⊨ ⊤ ≜ True
P ⊨ ¬A ≜ not P ⊨ A
P ⊨ A ∧ B ≜ P ⊨ A and P ⊨ B
P ⊨ 0 ≜ P ≡ 0
P ⊨ A | B ≜ ∃Q, R. P ≡ Q | R and Q ⊨ A and R ⊨ B
P ⊨ Hx.A ≜ ∃Q. P ≡ (νn)Q and Q ⊨ A{x←n}
P ⊨ α.A ≜ ∃Q. P —α→ Q and Q ⊨ A
P ⊨ □A ≜ ∀Q s.t. P →* Q then Q ⊨ A
P ⊨ ◇A ≜ ∃Q. P →* Q and Q ⊨ A
P ⊨ @n ≜ n ∈ fn(P)
P ⊨ Kφ ≜ P ⊢k ψ and ψ ⊨ φ
P ⊨ Sx.A ≜ ∃Q, t. P ≡ (νk)Q and Q ⊨ A{x←t} and Q ⊢k φ such that t ∈ φ and k ∈ names(t)

Figure 8: Logic Syntax and Semantics

Notice how the expressiveness of the logic arises from the ability to combine the three types of modalities: dynamic (□, ◇), spatial (H, |) and epistemic (K). The dynamic connectives allow us to range over a specific execution or over all possible executions, the spatial connectives allow us to mention restricted names (usually used to model keys and nonces) and to refer to subsystems, and the epistemic connectives allow us to analyze the derivable terms of a process.

The semantics of Kφ pose a challenge in the sense that they use the notion of knowledge derivation from Section 2.1. While this definition is adequate from a semantic perspective, it makes use of the DY equational closure of a set, which is not stable under reduction of terms, and thus does not provide a clear way of algorithmically determining whether ψ ⊨ φ. We approach the problem in a purely logical way and characterize knowledge derivation with a structural proof system for knowledge formulas, unlike the approach of [3].



3.2 Proof System for Knowledge Formulas 

Our proof system, formulated as a sequent calculus, is equipped with rules from the equational theory in order to consider the ability to combine terms to generate new information. Each rule of our calculus represents a possible computational step that an agent can perform on terms to produce a new term. Intuitively, if a sequent Γ ⊢ φ is derivable, the knowledge formula φ is deducible from the knowledge represented by Γ.

Definition 3.1 (Proof System K for Knowledge Formulas) The sequent calculus formulation of our proof system K for knowledge formulas is defined by the rules of Fig. 9.

The rules for identity and conjunction are standard. Rule funRight states that we are justified in concluding a complex term if we can derive its subterms. Rule AttLeft states that all that can be derived from a complex term f(t1, …, tn) can also be derived from its subterms; rule DestrLeft reflects the equalities of the equational theory: what can be deduced from s can also be deduced from terms equal to s under the equational theory.
(Id) Γ, A ⊢ A
(∧ left) Γ, A, B ⊢ C ⟹ Γ, A ∧ B ⊢ C
(∧ right) Γ ⊢ A, Γ ⊢ B ⟹ Γ ⊢ A ∧ B

For every constructor function symbol f with arity n, such that f ∈ Σ:

(funRight) Γ ⊢ t1, …, Γ ⊢ tn ⟹ Γ ⊢ f(t1, …, tn)
(AttLeft) Γ, t1, …, tn ⊢ C ⟹ Γ, f(t1, …, tn) ⊢ C

For every equation f(t1, …, tn) = s ∈ E:

(DestrLeft) Γ, s ⊢ C ⟹ Γ, f(t1, …, tn) ⊢ C

Figure 9: Proof System for Knowledge Formulas



For the sequent calculus K, we establish the results of soundness, completeness and decidability.

Theorem 3.2 (Soundness of K) Given a set of terms S and a term A, if S ⊢ A then S ⊨ A.

Proof: By induction on the derivation of S ⊢ A. ■

Theorem 3.3 (Completeness of K) Given a set of terms S and a term A, if S ⊨ A then S ⊢ A.

Theorem 3.4 (Decidability of K) For any set of terms S and term A, S ⊢ A is decidable.

The proofs of completeness and decidability rely on a finite approximation result for the DY equational closure of a set of terms. More concretely, for each finite set of terms S and equational theory, it is possible to build a finite set b(S) from which all terms in the DY equational closure of S may be determined.

Proposition 3.5 (Approximation of 𝒮(S)) Let S be a finite set of terms. We may construct in polynomial time an approximation to 𝒮(S), named b(S), a finite set with the following property:

∀M ∈ 𝒮(S), ∃t ∈ b(S) such that M = C[t]

where C[·] is a functional context solely built out of constructors.

Proof: The finite approximation b(S) is built from the terms of S by interpreting the rewrite rules of the theory as contexts of a bounded size. Therefore, applying function symbols to terms of S up to the bound of the context produces a new term by then applying the rewrite rule. This procedure is iterated, eventually reaching a fixpoint, due to the subterm convergence property of the equational theories (the idea is that each time we produce a new term, the term will be smaller than the terms used to generate it). The resulting computable set has the property that defines our approximation [17]. ■

The approximation b(S) is such that all terms of 𝒮(S) can be built from terms of b(S) just by applying constructors, no longer requiring the equations from the theory. Completeness follows from the fact that our proof system is able to emulate the computation steps required to generate the approximation. Given a set of terms S, b(S) is generated by applying functions to terms of S, applying a rewrite rule to the resulting term and iterating. Thus, our proof system is complete since the computation steps of b(S) may be emulated by the rules of proof system K, and we may then apply function symbols to terms of b(S) to produce terms of 𝒮(S). The latter is trivial due to funRight and AttLeft. The former we prove through the following lemma.

Lemma 3.6 (Completeness of K w.r.t. the Approximation) Given a set of terms S, if t ∈ b(S) then S ⊢ t.
Proof: Through instances of AttLeft it is possible to apply functions to terms of S up to the bound of the context used in b(S). Through an instance of DestrLeft the corresponding rewrite rule can be applied, and through Id the new term is derived at the root of the proof tree [17]. ■
To emulate the iteration with the proof system, that is, to perform similar computations with S and the new term, the auxiliary result of reasoning with cuts is required.

Lemma 3.7 (Cut Admissibility in K) If Γ ⊢ A and Γ, A ⊢ C then Γ ⊢ C.
Proof: See [17]. ■

Using Cut, the proof system is able to emulate the iterative procedure by building the previously described proof tree that allows the derivation of a new term, and using the new term as the cut formula. This technique can then be applied to produce any term of b(S), as required. Since the computation of b(S) always terminates, Theorem 3.4 holds.

3.3 Model-Checking 

We know that model-checking is decidable for the logic without the new modalities [7], for the class of bounded processes. Therefore, we need only show that our two modalities preserve decidability.

Proposition 3.8 (Decidability of model-checking Kφ) Let φ be a finite set of terms. Checking that P ⊨ Kφ is decidable.

The above proposition holds since for any process P it is possible to collect its set of relevant terms ψ (P ⊢k ψ), compute the finite approximation b(ψ) and check that each term in φ can be constructed from terms of b(ψ) by application of constructors.

Proposition 3.9 (Decidability of model-checking Sx.A) Checking that P ⊨ Sx.A is decidable.

Decidability of Sx.A follows from the fact that if P ≡ (νn)Q, it is possible to collect the set ψ of relevant terms of process Q, pick some term t from ψ that contains the name n and check that Q ⊨ A{x←t}. Given that model-checking the core logic with K is decidable, it follows that checking P ⊨ Sx.A is decidable and therefore model-checking for our logic is decidable for the class of bounded processes.

Theorem 3.10 (Decidability of Model-Checking) Checking that P ⊨ A is decidable for the class of bounded processes.

4 Expressiveness and Extensions 

Having presented our framework, we discuss some extensions to our work that can be used to model and
analyze systems. In particular, we discuss the representation of attackers and the modeling and verification
of correspondence assertions [18] in our framework.

4.1 Modeling Attackers 

To analyze a security protocol one usually needs to consider how it behaves in any possible environment.
While our logic focuses on the analysis of closed systems, it is possible to verify properties of a system
in an arbitrary environment by internalizing an arbitrary attacker in the system. The general idea is that,
for any process P, we may determine a process Q (making essential use of the attacker prefix construct)
such that P | Q reaches some state whenever P reaches an equivalent state when placed in an arbitrary
environment. While the explicit specification of an attacker for a given protocol may not be easy, our
approach to representing the attacking environment is quite different and general, and may indeed be used
to find attacks (see the example in Section 4.2). We can generically model a Dolev-Yao [12] attacker in our
framework by considering the number of message exchanges and the communication channels used in a
protocol.
A(K) ≜ (νKab, N) c⟨enc(pair(Kab, N), K)⟩. c(x). [N−1 = dec(x, Kab)]

B(K) ≜ c(x). let Kab = fst(dec(x, K)), N = snd(dec(x, K)) in c⟨enc(N−1, Kab)⟩

Sys ≜ (νK)(A(K) | B(K))

Figure 10: Modeling the Example

Attacker ≜ c(x). c⟨∗⟩. c(y). c⟨∗⟩. mem⟨x, y⟩

World ≜ (Sys | Attacker)

World ⊨ ¬◇Hx.(T | (@mem ∧ Kx))

Figure 11: An Attacker for the Example

Considering an arbitrary protocol modeled as a process, the role of an attacker is to intercept all
communications of the principals and to be able to inject any message it can produce, given its knowledge
at the time, at any point where a principal expects to receive a message (cf. our attacker output). Thus,
a Dolev-Yao attacker consists of a process that for all outputs of the protocol performs an input (storing
the received message) and for all inputs performs an attacker output. For instance, consider the following
protocol, where K is a shared key, N a fresh value and Kab a session key generated by A:

A → B : {Kab, N}K
B → A : {N−1}Kab

In our process model, such a protocol would be represented as done in Fig. 10 (we omit the signature
and equational theory). An attacker for this protocol, following our attacker schema, is presented in Fig.
11. We can then state that it is never the case that the attacker can know one of the keys used in the
protocol. While some minor effort in representing an attacker is necessary, we can easily represent a
generic attacker for a protocol by following a pre-determined schema.

We currently only consider finite protocols, modeled as processes in our calculus that use a commu-
nication channel c as their communication medium (written Pc). We have not pursued infinite protocols
as of yet, but we believe it to be possible to extend our approach to infinite protocols by defining the attacker
as a recursive process with a parallel store (used to store the messages of the protocol). To analyze
such a system, we would then employ recursive formulas by using the fixpoint operators of the logic.

Our attacker for finite protocols is defined as follows: For each output on c, the attacker performs an 
input on c (and stores the message). For each input on c, the attacker performs an attacker output. 

Definition 4.1 (Attacker Generation Procedure) Given a process Pc that models a finite protocol and a
set S that tracks the attacker memory, an attacker for P can be generated by the procedure Attacker(P, S)
defined in Fig. 12 (x and m are fresh in P and the attacker).

The generation procedure produces the necessary actions by inspection of the process dynamics: if an
output can occur in the process, the attacker intercepts the message and memorizes it; if an input can
occur in the process, the attacker injects any message it can produce from its knowledge; in the case
where the protocol has no more actions, we represent the attacker memory with an output m⟨x1, ..., xn⟩,
modeling the attacker's memory throughout the protocol run. We thus show how an attacker can be
extracted by inspection of the considered protocol. We can show that this attacker is general in our
framework, in the sense that it can simulate the behavior expected from an adversarial medium (cf. a
Dolev-Yao attacker). Note that this result does not yet fully apply to our tool implementation, as we
discuss later in this section.
proc Attacker(P, S) =
    if P −α→ Q ∧ α = input on c then c⟨∗⟩.Attacker(Q, S) fi
    if P −α→ Q ∧ α = output on c then c(x).Attacker(Q, S ∪ {x}) fi
    if P −/→ then m⟨x1, ..., xn⟩ where xi ∈ S fi.

Figure 12: Attacker Generation

Definition 4.2 (K-Set) Given a process P, we define its K-Set K_P, the set of all terms known by P, as:
K_P = {t | P ⊨ Kt}

Theorem 4.3 (Monotonicity of K-Sets under Synchronization) Let Pc and A be processes such that
Pc −c⟨M⟩→ P'c and A −c(x)→ A'. We have that K_{A'} ⊆ K_A ∪ {M}.

We begin with the K-Set of a process, the set of all terms known by the process that we observe
in our logic, and we show that the evolution of an arbitrary process's K-Set through synchronization is
monotonic: the resulting process's knowledge will be a subset of the initial process's knowledge plus
any received messages. We state a similar property for our generated attacker's K-Set. Over time, the
attacker's K-Set captures all messages exchanged in the protocol.

Theorem 4.4 (Monotonicity of Attacker Storage) Let Pc and At be processes such that
At ≜ Attacker(Pc, {}), Pc −c⟨M⟩→ P'c and At −c(x)→ At'. We have that K_{At'} = K_{At} ∪ {M}.

Our Attacker Simulation (Lemma 4.5) and Process Knowledge (Lemma 4.6) lemmas provide some
insight into the expressiveness of our attacker. Lemma 4.5 shows that a generated attacker can obtain as
much knowledge as an arbitrary process interacting with a finite protocol. Lemma 4.6 states a similar
property regarding the knowledge a finite protocol may obtain while interacting with our attacker.

Lemma 4.5 (Attacker Simulation) Let Pc and A be processes.

If (νñ)(Pc | A) → (νñ)(P'c | A') and At = Attacker(Pc, S) with K_A ⊆ K_At then ∃At', S' such that
(νñ)(Pc | At) → (νñ)(P'c | At') and At' = Attacker(P'c, S ∪ S') and K_{A'} ⊆ K_{At'}.

Lemma 4.6 (Process Knowledge) Let Pc, A be processes and φ a knowledge formula.

If (νñ)(Pc | A) → (νñ)(P'c | A') and P'c ⊨ Kφ and At = Attacker(Pc, S) with K_A ⊆ K_At then ∃At', S' such
that (νñ)(Pc | At) → (νñ)(P'c | At') and P'c ⊨ Kφ and At' = Attacker(P'c, S ∪ S').

Furthermore, from Lemma 4.6 it follows that, in our logic, a finite protocol interacting with an arbitrary
process is indistinguishable from one interacting with our attacker. Combining these results, we can show
that our attacker can behave as one would expect of an adversarial Dolev-Yao agent.

Theorem 4.7 (Preservation of Satisfaction) Let Pc and A be processes and 𝒜 any formula. If
(νñ)(Pc | A) → (νñ)(P'c | A') and P'c ⊨ 𝒜 and At = Attacker(Pc, S) with K_A ⊆ K_At then ∃At', S' such that
(νñ)(Pc | At) → (νñ)(P'c | At') and P'c ⊨ 𝒜 and At' = Attacker(P'c, S ∪ S').

Notice that this result follows from the fact that the message size for the attacker output prefix is unbounded.
Our implementation currently bounds the generated message to ensure tractability, thus sacrificing
completeness. However, as shown in [16], it is possible to compute a finite bound on the message size
required to find an attack. The implementation of this result we leave for future work. It is anyway
important to note that our method is already sound and complete for passive attackers, even for the case
of non-finite processes (e.g. we may consider any finite control system, or bounded in the sense of [7]).
parameter attacker_depth = 2;

defproc A(k) = new N in c!(enc(N,k)).c?(x).[dec(x,k)=h(N)].end!(h(N));
defproc B(k) = c?(x).(begin!(dec(x,k)) | c!(enc(h(dec(x,k)),k)));
defproc Sys = new k in (A(k) | B(k));
defproc Attacker = c?(v).c!(*).s!(v);
defproc World = (Sys | Attacker);

defprop begin = <begin!> true;
defprop end = <end!> true;
defprop corrsp = always (end => begin);

check World |= corrsp;
Processing...
* Process World satisfies the formula corrsp *

Figure 13: Checking Correspondence in a Toy Protocol

defproc Sys = new k in (c!(k).(A(k) | B(k)));
defproc Attacker = c?(u).c?(v).c!(*).s!(v,u);
defproc World = (Sys | Attacker);

check World |= corrsp;
Processing...
* Process World does not satisfy the formula corrsp *

Figure 14: Checking Correspondence in a Broken Toy Protocol

4.2 Modeling Correspondence Assertions 

Correspondence assertions are a technique for verifying authentication properties in protocols [18]. The
idea is that the model of each principal in a protocol is refined with begin/end events, named correspon-
dence assertions, at each stage of an authentication procedure. Authentication will be established if,
for every run of the protocol, all end events for each stage are preceded by a matching begin event. To
illustrate the idea, consider the following protocol:

A → B : {N}k;     B asserts the reception of N

B → A : {h(N)}k;  A asserts the reception of h(N)

Principals A and B share a symmetric key k, N is a fresh value and h is a one-way hash function. When
B receives {N}k it asserts the beginning of the run of the protocol. B sends message {h(N)}k so that A
can verify the freshness of the run, by comparing the received value with its own hash of N. If the test
succeeds, A asserts the reception of h(N) and the end of the run. To check correspondence, one has to
check that every run of the protocol, in the presence of an adversary, is such that A's end assertion
is always preceded by B's begin assertion, that is, A only ends if B was involved in the protocol.

Using our framework, we can model correspondence assertions by representing the assertion as an
output on a channel that is irrelevant to the protocol, and then observing the existence of such outputs with
our logic. For instance, our example could be modeled as done in Fig. 13 (note the attacker_depth
parameter set to 2 due to the size of the second message). We can also successfully handle the case
where we consider a faulty system that leaks k to the attacker (and thus correspondence does not hold),
as presented in Fig. 14.
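The attacker schema of Definition 4.1 and Fig. 12 (store every output on c, offer every derivable term at every input), the bounded synthesis b(S) that underlies Proposition 3.8 and the tool's attacker_depth parameter, the growth of the attacker's K-Set (Theorem 4.4), the key-secrecy claim of Section 4.1 and the correspondence checks of Figs. 13 and 14 can all be exercised with one small symbolic explorer. The Python model below is an added example written for this page; it is neither the SLMC tool nor code from the paper. It assumes a free term algebra with the single destructor equation dec(enc(m,k),k) = m, models "N − 1" with an uninterpreted constructor pred, compares begin!/end! labels only (as the property always (end => begin) of Fig. 13 does), and the names toy_A, toy_B, kdist_A, kdist_B, leak, explore, synthesise and check_all are the example's own.

```python
"""Bounded Dolev-Yao exploration of finite protocols (added example, not SLMC code):
the Fig. 12 attacker schema, the bounded synthesis b(S), secrecy and correspondence."""
from functools import lru_cache

# Term algebra (assumed): atoms are strings, compound terms are tagged tuples.
def enc(m, k):  return ("enc", m, k)
def pair(a, b): return ("pair", a, b)
def h(m):       return ("h", m)
def pred(n):    return ("pred", n)            # models the "N - 1" of the text
def dec(t, k):
    """Destructor: dec(enc(m, k), k) = m; any other application is stuck (None)."""
    return t[1] if isinstance(t, tuple) and t[0] == "enc" and t[2] == k else None

def analyse(S):
    """Close S under destructors: split pairs, open ciphertexts whose key is in S."""
    S, grow = set(S), True
    while grow:
        grow = False
        for t in list(S):
            if not isinstance(t, tuple): continue
            new = ({t[1], t[2]} if t[0] == "pair" else
                   {t[1]} if t[0] == "enc" and t[2] in S else set())
            if not new <= S: S |= new; grow = True
    return S

@lru_cache(maxsize=None)
def synthesise(S, depth):
    """b(S): constructors applied at most `depth` times to the analysed set, i.e. the
    bounded attacker output c!(*) (cf. the tool's attacker_depth parameter)."""
    S = analyse(S); frontier = set(S)
    for _ in range(depth):
        nxt = set()
        for a in frontier:
            nxt |= {h(a), pred(a)}
            for b in S: nxt |= {enc(a, b), pair(a, b), pair(b, a)}
        frontier, S = nxt - S, S | nxt
    return S

# Principals: a role is a list of steps run in order.  ("out", f) sends f(store) on c;
# ("in", accept) reads x from c and continues iff accept(x, store); ("event", f) is a
# begin!/end! assertion.  The store is the principal's local let-bindings.
def toy_A(k):                       # Fig. 13:  A -> B : {N}k     B -> A : {h(N)}k
    N = "N"
    return [("out", lambda st: enc(N, k)),
            ("in", lambda x, st: dec(x, k) == h(N)),
            ("event", lambda st: ("end", h(N)))]
def toy_B(k):
    def accept(x, st):
        st["m"] = dec(x, k); return st["m"] is not None
    return [("in", accept),
            ("event", lambda st: ("begin", st["m"])),
            ("out", lambda st: enc(h(st["m"]), k))]
def kdist_A(K):                     # Fig. 10:  A -> B : {Kab, N}K   B -> A : {N-1}Kab
    Kab, N = "Kab", "N"
    return [("out", lambda st: enc(pair(Kab, N), K)),
            ("in", lambda x, st: dec(x, Kab) == pred(N))]
def kdist_B(K):
    def accept(x, st):
        m = dec(x, K)
        if not (isinstance(m, tuple) and m[0] == "pair"): return False
        st["Kab"], st["N"] = m[1], m[2]; return True
    return [("in", accept), ("out", lambda st: enc(pred(st["N"]), st["Kab"]))]
def leak(t): return [("out", lambda st: t)]   # faulty system of Fig. 14: key sent in clear

def explore(roles, depth, prop):
    """Generated attacker of Fig. 12 run against every interleaving of `roles`: each
    output on c goes into the attacker memory `known` (which only grows, cf. Theorem 4.4);
    each input on c is offered every term of b(known).  Returns the first trace on which
    `prop` fails, or None if it holds on all bounded runs."""
    def dfs(pcs, stores, known, trace):
        if not prop(trace, known): return trace
        for i, role in enumerate(roles):
            if pcs[i] == len(role): continue
            kind, f = role[pcs[i]]
            pcs2, hit = pcs[:i] + (pcs[i] + 1,) + pcs[i+1:], None
            if kind == "out":
                m = f(stores[i])
                hit = dfs(pcs2, stores, known | {m}, trace + [("send", m)])
            elif kind == "event":
                hit = dfs(pcs2, stores, known, trace + [f(stores[i])])
            else:
                for t in synthesise(known, depth):
                    st = dict(stores[i])
                    if f(t, st):
                        hit = dfs(pcs2, stores[:i] + (st,) + stores[i+1:], known,
                                  trace + [("inject", t)])
                    if hit: break
            if hit: return hit
        return None
    return dfs((0,) * len(roles), tuple({} for _ in roles), frozenset(), [])

def correspondence(trace, known):
    """always (end => begin): no end! event before a begin! event in the run."""
    begun = False
    for ev in trace:
        begun = begun or ev[0] == "begin"
        if ev[0] == "end" and not begun: return False
    return True
def secrecy(*names):                # the attacker memory never yields `names` (cf. Fig. 11)
    return lambda trace, known: not set(names) & analyse(known)

def check_all(depth=2):
    """The four checks discussed in the text: None means the property holds."""
    return {"toy corrsp": explore([toy_A("k"), toy_B("k")], depth, correspondence),
            "toy corrsp, k leaked": explore([leak("k"), toy_A("k"), toy_B("k")], depth, correspondence),
            "kdist Kab secret": explore([kdist_A("K"), kdist_B("K")], depth, secrecy("Kab")),
            "kdist Kab secret, K leaked": explore([leak("K"), kdist_A("K"), kdist_B("K")], depth, secrecy("Kab"))}
```

check_all() maps each check to None when the property holds on every bounded run, or to the first violating trace. With k leaked the explorer returns the run in which the attacker opens {N}k, synthesises {h(N)}k at depth 2 and feeds it to A, which ends without B ever beginning; with K leaked in the key-distribution protocol the violation is found as soon as A's first message is intercepted, since analyse already derives Kab from it. As in the tool, the bound on depth is what keeps the candidate set finite, and a property that holds here holds only for messages up to that size.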

5 Concluding Remarks and Related Work 

In this paper we have introduced a dynamic spatial epistemic logic for a variant of the applied π-calculus
aimed at reasoning about security protocols. We explore the application of spatial and epistemic rea-
soning to the several agents involved in a security protocol, be they principals or adversaries. In our
work, we can reason about the knowledge of the several agents of a protocol and how it can evolve over
time. Model-checking for the logic is shown to be decidable for an interesting class of processes and
cryptographic primitives.

Our framework allows an interesting degree of freedom in the analyses it can perform, not only 
allowing one to reason directly about knowledge of principals and attackers but also enabling reasoning 
with correspondence assertions, which is an important addition to the range of available techniques. 
Moreover, our internalization of attackers, which does not require a complete behavioral specification, is 
able to accurately emulate the behavior of a Dolev-Yao attacker, enabling reasoning about the dynamics 
and knowledge of such an attacker. 

Finally, the decidability result for our logic allowed us to implement a model-checking algorithm as a 
proof of concept extension to the SLMC tool. The main difference between the tool and the theory is that 
our attacker outputs are parametrized with a maximum message size, to bound the state space. This is the 
main limitation of the current version of our tool, since it does not yet fully capture the expressiveness of 
our attacker modeling, given that our results employ a more powerful version of the attacker output. 

Overall, we have produced an interesting framework for protocol analysis, the first employing dy-
namic spatial logics, enabling a very natural (yet precise) way of reasoning about security protocols,
all the while allowing reasoning with previously established techniques. Note, however, that our tool is
merely a proof of concept of the developed framework, not aimed to compete with more mature tools
for protocol analysis such as Avispa [1], Scyther [9], Casper [13] or ProVerif [5]. The main point of
divergence between our approach and the ones mentioned before is that instead of mainly focusing on a set of
built-in properties, we focus on a generic property language (our logic) and explore its expressiveness.

In terms of related logics, Kremer et al. [8] have proposed an epistemic logic for the applied π-
calculus. However, their logic lacks the ability to reason about spatial properties, which is a key element
in allowing reasoning about individual agents. Their epistemic modalities focus solely on attacker knowl-
edge, not allowing one to state a property such as that of our introductory example, where we care about
the knowledge not only of the attacker but also of the agents within the system.

Another closely related logic is Datta et al.'s PCL [10]. PCL is a well-established protocol analysis
logic that allows one to verify properties of protocols modelled in a CCS-style calculus by reasoning
about events that occur in traces of the protocol run. While we focus on combined reasoning about
knowledge and spatial distribution of a protocol, PCL is designed to reason about the composition of
several protocols, and thus its analyses are more sophisticated than ours (reasoning about invariants in the
protocol composition interleavings).

Mardare and Priami have also proposed a dynamic epistemic spatial logic [15], without the issues
of security in mind. Their logic is hence substantially different from ours, interpreting knowledge as
the possibility of observing actions of other processes and not as the ability to know some piece of
information. Being based on CCS, such an approach is not suitable for reasoning about the flow of
messages within a system, which is one of our main goals.

For future work we wish to further study the problem of attacker representations, aiming at an ex-
pressiveness result along the lines of Theorem 4.7 that does not require the attacker to be able to produce
a message of arbitrary size (this should follow from the result of [16]). This result will be key in
removing the previously discussed limitation of our tool.